Unknown Password Change – diagnostics


Often numerous people have access to an account: developers, owners, system administrators.

Occasionally they do things they maybe shouldn’t, like changing the password, leaving everyone else in the loop out.

When this happens it’s always good to make sure that you know who changed that password, because if it was not you, it was potentially an exploit of some sort.

It’s fairly hard to track down exactly WHO did this; however, it’s easy to work out WHEN it happened, which allows you to look up other things to determine who.

To determine when the password was changed you can check the /etc/shadow file. An entry looks like this:

username:$6$grTvfe/KEnCrYpTeDPaSsWoRd5.:18449::::::

The number at the end of that line (the third field of the shadow entry) is the number of days since 1 January 1970 on which the password was last changed. You can convert it like this:

root@hostname:~# date --date '1970-01-01 +18449days'
Mon Jul 6 00:00:00 UTC 2020

There is a much easier way to do this, of course, which is:

root@hostname:~# chage -l username
Last password change                                    : Jul 06, 2020
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : -1
Maximum number of days between password change          : -1
Number of days of warning before password expires       : -1

Now that we know what date to look at, we can check places like /var/log/auth.log or /var/log/secure and see things like this:

$ zgrep "password changed" /var/log/auth.log
/var/log/auth.log:Jul  6 21:48:03 username passwd[2245]: pam_unix(passwd:chauthtok): password changed for username

This gives us an exact time, at which point you can look up the logs for who logged in via SSH just before the change:

Jul  6 21:47:46 hostname sshd[2232]: Accepted publickey for root from 65.99.223.255 port 46284 ssh2: RSA 95:ef:8b:8f:21:04:82:76:f6:c6:7a:57:db:ac:ac:ac
Jul  6 21:47:46 hostname sshd[2232]: pam_unix(sshd:session): session opened for user root by (uid=0)

You may even see something like this instead:

sudo: daniel : TTY=pts/1 ; PWD=/home/denial ; USER=root ; COMMAND=/usr/bin/passwd root

So Daniel logged in and ran sudo to change the password.
Now we know they logged in as root, or as daniel, and the IP they came from. The ‘whois’ tool can tell you approximately which organisation and location that IP belongs to, and you can check whether that was one of your own people or an exploit.
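To tie the steps above together, here is an added example (not code from the original post) that does the same correlation in Python: it decodes the "days since epoch" field from a shadow entry, then scans auth.log-style lines for the pam_unix "password changed" event and lists the sshd logins and sudo passwd invocations that happened in the minutes before it. The shadow line, log lines, hostname, usernames, IP address and key fingerprint are all constructed sample data modelled on the post’s output, and the 30-minute look-back window is an arbitrary assumption.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample data (not real hosts, users or keys).
SHADOW_LINE = "username:$6$grTvfe/KEnCrYpTeDPaSsWoRd5.:18449::::::"

AUTH_LOG = """\
Jul  6 21:47:46 hostname sshd[2232]: Accepted publickey for daniel from 203.0.113.45 port 46284 ssh2: RSA SHA256:CONSTRUCTED_FINGERPRINT
Jul  6 21:47:46 hostname sshd[2232]: pam_unix(sshd:session): session opened for user daniel by (uid=0)
Jul  6 21:47:58 hostname sudo:   daniel : TTY=pts/1 ; PWD=/home/daniel ; USER=root ; COMMAND=/usr/bin/passwd username
Jul  6 21:48:03 hostname passwd[2245]: pam_unix(passwd:chauthtok): password changed for username
Jul  6 23:05:10 hostname sshd[2301]: Accepted password for bob from 198.51.100.7 port 50122 ssh2
"""

EPOCH = date(1970, 1, 1)

# Regexes for the three line shapes shown in the post (syslog timestamp has no year).
TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
CHANGE_RE = re.compile(TS + r" \S+ passwd\[\d+\]: .*password changed for (?P<user>\S+)")
ACCEPT_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(TS + r" \S+ sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>\S*passwd\b.*)$")


def shadow_last_change(shadow_line):
    """Return (user, date) from field 3 of an /etc/shadow entry.

    Field 3 is the day of the last password change, counted in days
    since 1970-01-01. An empty field means the date is unknown.
    """
    fields = shadow_line.split(":")
    user, days = fields[0], fields[2]
    if not days:
        return user, None
    return user, EPOCH + timedelta(days=int(days))


def parse_syslog_ts(ts, year):
    """Classic syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_events(auth_log, year):
    """Turn raw auth.log lines into (kind, time, details) tuples."""
    events = []
    for line in auth_log.splitlines():
        if m := CHANGE_RE.match(line):
            events.append(("password_changed", parse_syslog_ts(m["ts"], year), {"user": m["user"]}))
        elif m := ACCEPT_RE.match(line):
            events.append(("ssh_login", parse_syslog_ts(m["ts"], year),
                           {"user": m["user"], "ip": m["ip"], "method": m["method"]}))
        elif m := SUDO_RE.match(line):
            events.append(("sudo_passwd", parse_syslog_ts(m["ts"], year),
                           {"user": m["user"], "cmd": m["cmd"]}))
    return events


def correlate(shadow_line, auth_log, window=timedelta(minutes=30)):
    """For each 'password changed' event matching the shadow entry's user and
    date, return the logins and sudo passwd runs within `window` before it."""
    user, changed = shadow_last_change(shadow_line)
    if changed is None:
        return []
    events = parse_events(auth_log, changed.year)
    results = []
    for kind, when, info in events:
        if kind != "password_changed" or info["user"] != user or when.date() != changed:
            continue
        candidates = [
            {"kind": k, "at": t, **d}
            for k, t, d in events
            if k in ("ssh_login", "sudo_passwd") and when - window <= t <= when
        ]
        results.append({"user": user, "at": when, "candidates": candidates})
    return results


if __name__ == "__main__":
    for r in correlate(SHADOW_LINE, AUTH_LOG):
        print(f"{r['user']} password changed at {r['at']}")
        for c in r["candidates"]:
            print("  ", c)
```

On the sample data this reports the change at 21:48:03 together with daniel’s publickey login from 203.0.113.45 and his `sudo passwd username` a few seconds earlier; bob’s login an hour later is outside the window and is not listed. On a real box you would read the shadow entry with `getent shadow user` (as root) and feed in `zcat`/`cat` output from the rotated auth logs, remembering that the year has to come from somewhere other than the syslog timestamp.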

passwd -n 9999 user will prevent user from changing their own password for many years, which may be an option to stop this happening. Note that this only sets the minimum password age for that user; root can still change the password regardless.

Database passwords are much harder to diagnose. If somebody set the MySQL root password, though, you could check whether it was done from the command line with something like this to give you an idea:

grep -i -e "password" /home/*/.mysql_history /root/.mysql_history